Saturday, January 26, 2013

Wireless "Deauth" Attack using Aireplay-ng, Python, and Scapy

Introduction

A couple of days ago I received my order of a nifty Alfa AWUS036H and decided it'd be a perfect time to explore a few common wireless attacks. This post will explore how to perform a common "Deauthentication Attack" both the "easy" way using a fantastic tool called aireplay-ng, as well as writing our own tool in Python to perform the attack for us using the extremely powerful Scapy module. In this post I won't be going into detail about basic wireless mechanisms, but if you'd like a very comprehensive guide to understanding the topic, I really recommend the Wireless LAN Security and Penetration Testing Megaprimer on SecurityTube. With that said, let's deauth some clients.

Alfa AWUS036H

What are Deauth Attacks Used For?

Before we start performing deauth attacks, let's first get an understanding of what they can be used for. Obviously, the primary thing they can do is force stations (clients) off of a given network, causing a Denial of Service (DoS) attack. We can also use deauth attacks to reveal otherwise hidden SSIDs (not included in Beacon frames) by disconnecting the clients, and then monitoring for Probe Requests which always contain the SSID.

Performing a Deauth Attack the "Easy" Way

Let's start by performing a deauth attack the "easy" way using tools already available in Backtrack. The first step will be to put our Alfa wireless card in "monitor mode". This will allow us to monitor all traffic detected without having to first associate with an access point. This is important as it will allow us to deauth clients on a wireless network without being authenticated to it. We will use the tool "airmon-ng" to create a monitor mode interface as follows:

After we've created our monitor mode interface, we can use the tool "airodump-ng" to scan across different channels to enumerate both access points and their associated BSSID's as well as client stations, their MAC addresses, and any known SSIDs (found by monitoring Probe Requests).

Let's target the "raidersec" network. First, we see that the network is on channel 11, so we need to set both our wlan0 and mon0 interfaces to use this channel using the "iwconfig" command. Then, after grabbing the BSSID from airodump-ng (note: we could just use the ESSID, however we're trying to be comprehensive), we can use the tool "aireplay-ng" to inject deauthentication packets into the network by spoofing the BSSID of the access point. This will cause clients to disconnect from the network, and staying offline until we stop sending out deauth packets. Here's a sample session (you can't see it, but this does indeed disconnect all my devices connected to the "raidersec" network).

Leveraging Scapy to Perform a Deauth Attack

Scapy is a very powerful Python module which allows us to sniff, create, manipulate, filter, and display network traffic down to the individual packet. You can find the basics of how to use Scapy here. We can leverage this functionality to create a tool which performs the same attack seen above. Let's see how we can implement this.

First, let's create a script which will print the BSSID and ESSID of all detected wireless networks. We will use the os module to perform channel hopping so that we can enumerate networks on multiple channels (note: this functionality was first seen on airoscapy.py). We will store all this information in a dictionary which associates the BSSID and channel with the found ESSID.

As a quick side note, you will note in airoscapy.py that the channel can be found by looking at the third Dot11Elt layer of the packet, and performing both the ord() and int() functions on it. This was a clever insight, and I wanted to make particular note of it. We can verify this from the following Wireshark capture of a beacon frame from our raidersec AP:

Here is the code to sniff for access points:

It's important to mention that this code implements Scapy sniff() function's "stop_filter" parameter, which was introduced in version 2.1.1. As of this writing, the version included in Backtrack is 2.0.1, so if you are using Backtrack, you will need to upgrade (or just patch your sendrecv.py file). Using this callback may seem somewhat unnecessary, but it will help in a big project I'm currently working on (and will release sometime soon! ).

Let's take a look at the output:

Nice. Now that we have a dictionary containing our BSSIDs, ESSIDs, and channels, let's add the ability to perform a deauth_attack() function will take in our dictionary entry for a particular BSSID as well as an optional client MAC address (for targeted attacks) and perform a deauth attack. We will use Scapy's layered packet construction to make our deauth packet and send it using the send() function. Let's first take a look at the perform_deauth() function:

Now, here's the code we'll tack on to our main program flow to call the perform_deauth() function after getting relevant information from the user:

Finally, let's run it and see the output:

Worked like a charm! It disconnected all clients on the raidersec WLAN. You can find the full source here.

Scapy is an extremely powerful tool. By leveraging its packet sniffing and injecting capabilities, we can replicate many attacks on wireless infrastructure. I hope you enjoyed learning a little more about what Scapy has to offer, and as always don't hesitate to leave a comment below to let me know what you think!

Hi, I wanted to know how I can leverage Scapy to tell me the Encryption type as well (WEP, WPA, WPA2, WPS Enabled). I am doing some research on Wifi security and I really need to code something using python and scapy that would tell me the ENC type. Can you help please?